Banking institutions must practice more due diligence when it comes to account activity monitoring - and greater reliance on big data would help, the expert advises.

On Feb. 5, federal authorities arrested 13 individuals allegedly connected to one of the biggest payment card schemes ever uncovered by the Department of Justice. The defendants' alleged criminal enterprise - built on synthetic, or fake, identities and fraudulent credit histories - crossed numerous state and international borders, investigators say.

The scheme involved the creation of false identities used to create fraudulent credit profiles, falsified information to establish creditworthiness with the credit bureaus and large loans that were never repaid by the fraudsters, according to court records that were recently unsealed.

The defendants have been accused of moving millions of dollars through accounts under their control, as well as wiring millions of dollars overseas. An investigative analysis of 169 bank accounts allegedly used by the defendants, their "sham" companies and/or complicit businesses identified $60 million in proceeds that had flowed through the numerous accounts, with most of those funds being withdrawn in cash, investigators say.

Additionally, those charged allegedly wired millions of dollars to Pakistan, India, the United Arab Emirates, Canada, Romania, China and Japan, authorities say. Due to the massive scope of the case, which involved more than 25,000 fraudulent credit cards, loss calculations are ongoing. Final figures may grow beyond the confirmed losses of more than $200 million.

Cybercrime experts from the Federal Bureau of Investigation have been investigating the case for 18 months. Several other individuals allegedly connected to the scheme were arrested earlier. So far, 18 individuals have been charged with bank fraud and face up to 30 years in prison and a $1 million fine.

Difficult to Trace

Micah Willbrand, director of AML market planning for LexisNexis' financial services division, says the two-year alleged scheme, which involved opening numerous business bank accounts, establishing high-scoring credit reports and moving funds to accounts in high-risk international markets, should have raised flags sooner. Unfortunately, international schemes are often the most difficult to trace, he says.

Bank Secrecy Act and AML regulations do not require banks to identify or scrutinize the recipient of funds associated with high-risk transactions, Willbrand says. "Laws and regulations today only require that the bank have KYC [know the customer] in place for the sender, not the receiver of money," he says.

And financial institutions have been reluctant, until recently, to push the envelope. Jurisdictional challenges related to international transactions would require banks to do a lot more leg work to verify the authenticity, risk and identity of a recipient to parallel the due diligence and KYC controls they have in place for senders, Willbrand says.

But card fraud schemes demonstrate why it's imperative to have KYC controls in place for both senders and recipients, he adds.

"With FACTA [Fair and Accurate Credit Transactions Act], all countries are realizing we need to know more about who's receiving the money. We need to be more transparent about how money is moving around the world, and that is something everyone is coming around to."

Moving Money

Authorities charge that the defendants and their conspirators in this case allegedly created more than 7,000 false identities and fraudulently obtained tens of thousands of credit cards they used to purchase lavish goods and stockpile large sums of cash.

The enterprise allegedly maintained more than 1,800 so-called "drop addresses," including houses, apartments and post office boxes, used as the mailing addresses for the synthetic identities. These IDs were used to create dozens of sham companies that did little or no legitimate business, investigators allege. Through those sham companies, the defendants and their co-conspirators purchased credit card terminals used to run up charges on fraudulent credit cards, authorities charge.

The sham companies established merchant accounts with merchant processors, investigators say. Those processors deposited funds they received from the credit card companies for charges made by the sham companies into business bank accounts opened by the alleged criminal enterprise. If a merchant processor shut down an account for some reason, the conspirators established a new business name and applied for new terminals, investigators allege.

The fake companies also served as "furnishers," providing false information to the credit bureaus about the credit histories of the synthetic identities they had affiliated with the companies. They then used lines of credit to increase their borrowing ability from card issuers and added authorized users to their credit card accounts to improve credit histories.

Authorities charge that the alleged criminal enterprise also relied on complicit businesses, including several jewelry stores in Jersey City, N.J., to conduct sham transactions on fraudulent cards to receive the proceeds from the credit card companies. Those proceeds would then be split with the alleged conspirators, investigators say.

"This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies, and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford," FBI Special Agent David Velazquez says in the arrest announcement.

The Big Data Challenges

Willbrand says banking institutions have not done enough to monitor accounts or risk profiles after the initial review at account opening.

"Transaction monitoring and core banking systems, when they do risk ratings, tend to work in a vacuum," he says. "They set rules and say if something goes outside those boundaries, something is wrong. But the systems don't take into account any customer information or due diligence after the account is created."

Once the bank accepts who the owner of an account is, then that account owner is not typically reviewed again, Willbrand explains. "If they had gone back to review some these identities in this case, then some of that would have come out sooner," he adds.

Credit reporting bureaus, however, are building in more monitoring around synthetic identities, Willbrand adds, but their information is limited. "They are only looking at their files, rather than comparing their information with all of the other data out there, like where these 'identities' live and have lived, what their profiles are internationally, and what their credit is with the other bureaus."

Those challenges are amplified when transactions and accounts start crossing international borders. Data about identities is not combined internationally, Willbrand says. The only way to get an accurate profile is by cross-checking public records with utility bills and bank accounts around the world, he says.

Banking institutions are just starting to address some of these big data concerns, Willbrand adds. "[Recently] we have seen a high level ... of attention being paid to enhancing this due diligence area."

Willbrand says the manual review and overlaying of information can be too demanding for some banking institutions, especially smaller ones. But a number of companies are now offering automated or partially automated services to help banks and credit unions develop more inclusive profiles of customers and members, he says.

"To a certain extent, it is a big data approach," Willbrand says. "It allows you to bring out red flags that you would not have been able to raise four or five years ago."

About the Author

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.